Attackers can manipulate files transferred via WhatsApp and Telegram

Symantec experts warned that attackers can manipulate media files transmitted through WhatsApp and Telegram messengers for Android. The point is that these applications use external storage, which threatens the security of their users.

To understand the problem, note that Android has two kinds of storage. External storage is shared between applications and is usually formed from an SD card or USB drive, as well as the free space remaining on the device itself. Internal storage (Internal Storage, aka System Memory) is formed on the hardware built into the device, and it holds the OS, system applications, drivers and some data of applications installed by the user.

Each installed application can allocate isolated space in the internal storage for its own needs, and other applications cannot access it. But because space on any device is limited, many developers try not to overuse Internal Storage and allow users to install their products in external storage, where protection is much weaker.

In their report, Symantec experts describe the Media File Jacking attack technique, which allows a malicious Android application to manipulate files sent or received via WhatsApp and Telegram. The substitution occurs at the moment between writing files to the storage and loading them in the application interface. This method works against WhatsApp with default settings and against Telegram if the user has enabled the Save to gallery option.

Researchers note that such attacks can be used in many different ways, for example for extortion, or to substitute bank account details in a file (so that the victim ends up sending funds to the cybercriminals' account). Fake news may also appear on Telegram channels because of this.


Symantec specialists have already informed the developers of WhatsApp and Telegram about the risks. WhatsApp representatives replied that, in their opinion, Google engineers should solve this problem. So, in the upcoming release of Android Q, the Scoped Storage feature will appear, which will change the way applications work with files in external storage. The Telegram developers did not comment on the experts' report in any way.

Symantec believes that application developers should take care of preventing such attacks by verifying the integrity of files before loading them into the application, storing files in internal storage when possible, and applying encryption to media files, as is done with text.

Since Symantec analysts have created a malicious PoC application that clearly demonstrates Media File Jacking attacks in practice, you can see examples of file manipulation below.

It must be said that the Media File Jacking attack is very similar to the Man-in-the-Disk attack described by Check Point analysts last year. Then the researchers warned that the use of external storage by applications is fraught with many risks, and malware that has penetrated the device can attack neighboring applications, disable them or completely replace them with malicious versions.
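
Two of the Symantec recommendations above (verify integrity before loading, keep data in internal storage) can be combined: record a SHA-256 digest in app-private storage when the file is written, and check it against the bytes actually handed to the UI. The sketch below is an added example, not code from the Symantec report or from either messenger; the two directories stand in for Android's shared external storage and the app's private internal storage, and the class name, manifest file name and sample bytes are assumptions.

```python
import hashlib
import json
import os
import tempfile


class IntegrityError(Exception):
    """A media file no longer matches the digest recorded at save time."""


class MediaStore:
    """Media lives in shared storage; digests live in app-private storage."""

    def __init__(self, shared_dir, private_dir):
        self.shared_dir = shared_dir
        self.manifest = os.path.join(private_dir, "media_digests.json")

    def _digests(self):
        if not os.path.exists(self.manifest):
            return {}
        with open(self.manifest) as fh:
            return json.load(fh)

    def save(self, name, data):
        # Hash the in-memory bytes before they reach shared storage.
        digests = {**self._digests(), name: hashlib.sha256(data).hexdigest()}
        with open(self.manifest, "w") as fh:
            json.dump(digests, fh)
        with open(os.path.join(self.shared_dir, name), "wb") as fh:
            fh.write(data)

    def load_verified(self, name):
        # Read once; verify and return those same bytes (no check-then-reopen gap).
        with open(os.path.join(self.shared_dir, name), "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != self._digests().get(name):
            raise IntegrityError(f"{name} does not match its recorded digest")
        return data


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        store = MediaStore(shared, private)
        store.save("invoice.jpg", b"constructed sample image bytes")
        with open(os.path.join(shared, "invoice.jpg"), "wb") as fh:
            fh.write(b"constructed replacement bytes")  # another app overwrites
        try:
            store.load_verified("invoice.jpg")
        except IntegrityError as err:
            print("rejected:", err)
```

A file that appears in shared storage without a recorded digest is rejected the same way, because the lookup returns no expected value.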
 